Microsoft security: Not a patch on what's needed

Another new year, another new Windows exploit. Although the WMF exploit hasn't been as cataclysmic as predicted, there's still time. Microsoft has said there'll be no patch until it's good and ready, sometime next week. This leaves millions of Windows users with a difficult decision: accept a patch from someone we know nothing about, or risk the exploit.

Microsoft is in a trap of its own making: it literally cannot fix this problem. It has a duty to thoroughly test patches it issues, and a legacy of hundreds of Windows installation variations on which to test them. It also has a duty to close down vulnerabilities as quickly as possible, as an aggressive exploit can hit thousands of computers in the first few minutes of its life.

It boils down to risk management: will a potentially imperfect patch hurt more than a potentially malevolent exploit? That is an unpleasant but acceptable decision: security is all about balancing risks. Where Microsoft went wrong is in not supporting the decision makers regardless of their choice, in claiming that in all circumstances it knew best and that a quick patch was wrong.

What Microsoft should do in the future is to make early versions of the patch available as soon as it has some confidence in them. It should be frank about the status of the patch, giving as much detail as possible about what it has been tested on so far — but then it should leave the decision as to whether patching is appropriate to the people at the sharp end. The company is happy to circulate own-risk betas of operating systems and applications; it should accept the same model for its security updates.

It is unacceptable that we should have to rely on third-party patches from people who have been denied the level of system detail open only to Microsoft employees. If Microsoft is not willing to open up its source to help the security community and if it is unable to produce guaranteed patches fast enough, it must at least respect the ability of its users to make their own decisions. If it can't make its software secure, it owes us that much — at least.